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_ EXECUTIVE  SUMMARY  ◄ - 12  pt  bold  centered 

2  blank  lines 

INTRODUCTION  — — — — - 

* -  1  blank  line 

Formal  methods  are  mathematically  based  techniques,  often  supported  by  reasoning  tools  that  can 
►offer  a  rigorous  and  effective  way  to  model,  design  and  analyze  computer  systems.  This  report  < 
summarizes  the  results  of  an  independent  study  of  12  cases  in  which  formal  methods  were  applied  to  the 
construction  of  industrial  systems.  A  major  conclusion  of  the  study  is  that  formal  methods,  while  still 
immature  in  certain  important  respects,  are  beginning  to  be  used  seriously  and  successfully  by  industry 
to  design  and  develop  computer  systems. 

Canada’s  Atomic  Energy  Control  Board  (ABCB),  the  U.S.  National  Institute  of  Science  and 
Technology  (NIST),  and  the  U.S.  Naval  Research  Laboratory  (NRL)  commissioned  this  study  to 
determine  die  industrial  trade  record  of  formal  methods  to  date  and  to  assess  the  efficacy  of  formal 
methods  for  meeting  their  needs.  The  study  had  three  main  objectives: 

1.  To  better  inform  deliberations  within  industry  and  government  on  standards  and  regulations; 

2.  To  provide  an  authoritative  record  on  the  practical  experience  of  formal  methods  to  date;  and 

3.  To  suggest  areas  where  further  research  and  technology  development  are  needed. 

These  objectives  have  been  accomplished  through  the  publication  of  thii  report.  The  report  consists 
of  two  volumes  and  this  Executive  Summary.  The  first  volume  is  the  analysis  of  the  supporting  data 
contained  in  die  second  volume.  Volume  One  includes  a  discussion  on  formal  methods  and  a  brief 
characterization  of  the  formal  and  related  methods  used  in  the  cases,  a  summary  of  the  12  cases,  a 
description  of  the  methodology  used  in  the  survey,  a  cluster-by-cluster  analysis  of  the  data,  a  discussion 
on  the  key  events  and  timing  associated  with  each  case,  and  an  analysis  of  our  formal  methods  RAD 
summary;  it  concludes  with  the  findings,  observations,  and  conclusions.  The  appendixes  to  Volume  One 
contain  brief  biographies  of  the  authors,  brief  characterizations  of  11  formal  methods  used  in  the  cases, 
the  initial  questionnaire,  the  questionnaire  used  in  our  stnictured  interviews,  and  acknowledgements. 
Volume  Two  contains  detailed  supporting  data  on  the  12  cases. 

Through  these  means,  the  sponsors  have  been  provided  with  an  organized  body  of  systematic 
information,  assessments,  evaluations  and  observations  that  interpret  and  extrapolate  usefol  data  on  cases 
of  significant  industrial  scale  and  applicability  to  real-world  products. 

This  Executive  Summary  presents  the  following: 

1.  A  summary  of  the  major  findings  of  the  study. 

2.  Recommendations  for  continuing  RAD  in  fonnal  methods. 

FINDINGS  AND  RECOMMENDATIONS 

The  following  conclusions  are  the  result  of  applying  the  expertise  of  the  authors  in  analyzing  the 
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There  are  two  blank  lines  between  the  title  and  the  start  of  the  text.  There  is  one  blank  line  between 
paragraphs. 
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No  Header 
on  this  page 


AN  INTERNATIONAL  SURVEY  OF  INDUSTRIAL  APPLICATIONS 

OF  FORMAL  METHODS  - 

12  pt  bold  centered 

VOLUME  1  - 

PURPOSE,  APPROACH,  ANALYSIS  AND  CONCLUSIONS 


INTRODUCTION  - 

< -  1  blank  line 

Formal  methods  are  mathematically  based  techniques,  often  supported  by  reasoning  tools  Oat  can 
►offer  a  rigorous  and  effective  way  to  model,  design  and  analyze  computer  systems.  The  purpose  of  this  - 
study  is  to  evaluate  international  industrial  experience  in  using  formal  methods.  The  cases  selected  are, 
we  believe,  representative  of  industrial-grade  projects  and  span  a  variety  of  application  domains.  The 
study  had  three  main  objectives: 

•  To  better  inform  deliberations  within  industry  and  government  on  standards  and  regulations; 

•  To  provide  an  authoritative  record  on  the  practical  experience  of  formal  methoda  to  date;  and 

•  To  suggest  areas  where  future  research  and  technology  development  are  needed. 

This  study  was  undertaken  by  three  experts  in  formal  methods  and  software  engineering:  Dan 
Craigen  of  ORA  Canada,  Susan  Gerhart  of  Applied  Formal  Methods,  and  Ted  Ralston  of  Ralston 
Research  Associates.  Robin  Bloomfield  of  Adelard  was  involved  with  the  Darlington  Nuclear  Genera  ing 
Station  Shutdown  System  case.  Brief  biographies  of  the  authors  ate  included  in  Appendix  A. 

Support  for  this  study  was  provided  by  organizations  in  Canada  and  die  United  States.  The  Atomic 
Energy  Control  Board  of  Canada  (AECB)  provided  suppoit  for  Dan  Craigen  and  for  the  technical  editing 
provided  by  Karen  Summersldll.  The  Naval  Research  Laboratory  (NRL),  Washington,  DC,  provided 
support  for  all  three  authors.  The  U.S.  National  Institute  of  Standards  and  Technology  (NIST)  provided 
support  for  Ted  Ralston. 

This  final  report  consists  of  two  volumes.  This  first  volume  describes  the  study,  formal  methods,  the 
cases  that  were  studied,  our  approach  to  performing  the  study,  and  our  analysis,  findings,  and 
conclusions. 

The  second  volume  of  the  final  report  provides  the  details  on  the  case  studies.  For  each  of  the  case 
studies,  we  present  a  case  description,  summarize  the  information  obtained  (from  interviews  and  the 
literature),  provide  an  evaluation  of  the  case,  highlight  RAD  issues  pertaining  to  formal  methods,  and 
provide  some  conclusions.  Earlier  drafts  of  the  case  studies  were  reviewed  by  the  relevant  participants. 

From  the  authors’  analysis  of  the  12  cues  and  the  stated  RAD  needs  from  those  we  interviewed, 
other  areu  are  suggested  for  future  RAD.  These  areas  are  drawn  from  the  particular  set  of  cases  that  we 
studied. 


Manoacript  approved  March  31,  1993. 
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Margins 


Inches 

Points 

Top 

0.75 

54 

Bottom 

0.75 

54 

Left 

1 

72 

Right 

1 

72 

Header  for  Left-Hand  Pages 

The  header  for  left-hand  pages  contains  the  page  number  (flush  left)  and  the  last  name(s)  of  the 
author(s)  (flush  right)  followed  by  a  hard  return  (or  3  pt  to  ensure  descenders  do  not  run  into  or  touch 
horizontal  line).  NOTE:  In  WordPerfect  5.1  for  DOS  this  is  a  hard  return  plus  1/72  in.  (1  pt). 

If  there  is  one  author,  use  the  author’s  full  name.  If  two  or  three  authors,  use  their  last  names  only. 
If  there  are  more  than  three  authors,  use  only  the  first  author’s  name,  followed  by  “et  al.”  (example: 
Craigen  et  al.).  Note  that  there  is  no  comma  in  front  of  et  al. 

Text  is  10  pt  CG  Times  italic. 

A  full-width  horizontal  line  is  placed  under  the  header  text.  This  line  is  0.014  in.  (1  pt)  thick  and 
6.5  in.  long  (468  pt).  After  the  line  should  be  a  vertical  space  of  0.025  in.  (18  pt). 

Vertical  Spacing 

There  are  two  blank  lines  between  the  title  and  the  start  of  the  text.  There  is  one  blank  line  between 
paragraphs. 

There  is  one  blank  line  between  headings  1,  2,  3,  and  4  and  the  text  following  these  headings. 
Headings  5  and  6  have  the  text  begin  on  the  same  line  right  after  the  heading. 
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0.375  In. 


Craigen,  Gerhart,  and  Ralston 


FORMAL  METHODS 


Before  proceeding,  we  provide  an  historical  perspective,  explain  the  term  "formal  methods"  and  -< 
►introduce  the  broad  spectrum  of  formal  methods  techniques  that  are  represented  in  the  survey. 

Historical  Perspective 

For  over  two  decades,  researchers  have  explored  topics  in  the  mathematics  of  program  synthesis  and 
analysis.  The  article  ‘Assigning  Meaning  to  Programs"  (Floyd  1968)  stated  the  goal  of  both  (1)  semantics 
of  programming  languages,  and  (2)  specification  and  reasoning  about  individual  programs.  This  goal 
evolved  into  the  key  idea  of  inductive  assertions  then  defining  both  language  semantics  and  program 
meaning  by  relationships  among  pre-conditions,  program  statements,  and  post-conditions.  The  intriguing 
possibility  of  mechanical  proof  of  programs,  or  alternatively,  heuristic  generation  of  programs,  yielded 
many  exploratory  systems  and  theoretical  insights.  Two  barriers  to  practical  application  arose:  (1)  it  was 
difficult  to  capture  the  foil  semantic  content  of  programming  languages  and  operating  environments,  and 
(2)  it  was  a  constant  challenge  to  express  the  ftmctional  and  nonfunctional  intent  for  a  program  in  its 
context  of  use. 

Important  Concepts 

Research  led  to  many  inqxntant  concepts:  formal  definitions  of  complex  language  features  and 
identification  of  pitfalls  of  unnecessary  and  overly  complex  features;  specification  languages  for  abstract 
data  types,  concurrent  processes,  and  abstract  machines;  a  theory  of  abstraction  behind  hierarchical 
system  structures;  mechanizable  logics  that  permitted  computational  reasoning  about  program  properties; 
and  theories  of  domains  such  as  security,  synchronous  docks,  microprocessors,  and  compiling.  Practical 
applications  were  found  in  these  dnmhn  and  small-to-medium  scale  examples  were  worked  out. 
Industrialization  began  in  the  U.S.  about  a  decade  ago  through  the  government  mandate  of  certification 
of  security  properties. 

Practice  went  a  different  route.  Verification  was  achieved  (and  defined)  through  case-based  reasoning 
(i.e.,  testing)  with  numerous  criteria  and  strategies  for  good  testing  practice  (primarily  functional  and 
structural  coverage).  Reviews  provided  the  primary  mean  of  intdiedual  control:  mental  checking  of 
desirable  properties  of  systems  under  development  and  the  concomitant  communication  among 
stakeholder!  (such  as  managers,  designers,  testers,  and  documentors).  Heuristic  methodologies  for 
structured  requirements  analysis  and  design  offered  additional  guidance  toward  systems  that  captured  the 
conventional  wisdom  of  good  structure  and  provided  a  common  meant  of  communication. 

Verification 

Researchers  developed  a  theoretical  bate  for  testing  and  the  results,  although  mostly  negative, 
suggested  various  heuristics  for  testing  that  more  closely  approximated  an  ideal  where  each  test  case 
meant  something  with  tome  chance  of  revealing  errors  or  demonstrating  new  evidence  of  correctness. 
The  following  paragraphs  elaborate  on  this  information. 

Heuristic  Methodologies— Heuristic  methodologies  from  practice  never  gained  much  research 
attention  although  abstract  data  types  gave  rise  to  object-oriented  languages  and  methods  to  add  even  more 
structure  and  support  to  heuristic  system  development.  Effort  in  this  area  is  somewhat  limited  and  should 
be  expanded  for  additional  analysis.  A  number  of  important  concepts  and  their  interrelationships  need  to 
be  explored. 

0.75  In. 


Fig.  6  —  Regular  text  page,  left-hand  page 
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REGULAR  TEXT  PAGE,  RIGHT-HAND  PAGE 

A  right-hand  text  page  is  shown  in  the  sample.  It  differs  from  the  left-hand  text  page  only  in  its 
header. 

Margins 


Inches 

Points 

Top 

0.75 

54 

Bottom 

0.75 

54 

Left 

1 

72 

Right 

1 

72 

Header  for  Right-Hand  Pages 

The  header  for  right-hand  pages  contains  a  brief  version  of  the  report’s  title  (flush  left)  and  the  page 
number  (flush  right)  followed  by  a  hard  return  (or  3  pt  to  ensure  descenders  do  not  run  into  or  touch 
horizontal  line).  NOTE:  In  WordPerfect  5.1  for  DOS  this  is  a  hard  return  plus  1/72  in.  (1  pt). 

Text  is  10  pt  CG  Times  italic. 

A  full-width  horizontal  line  is  placed  under  the  header  text.  This  line  is  0.014  in.  (1  pt)  thick  and 
6.5  in.  long  (468  pt).  After  the  line  should  be  a  vertical  space  of  0.25  in.  (18  pt). 

Vertical  Spacing 

There  are  two  blank  lines  between  the  title  and  the  start  of  the  text.  There  is  one  blank  line  between 
paragraphs. 

There  is  one  blank  line  between  headings  1,  2,  3,  and  4  and  the  text  following  these  headings. 
Headings  5  and  6  have  the  text  begin  on  the  same  line  right  after  the  heading. 
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International  Survey  of  Industrial  Applications— Voi.  1 _ 3 

Theoretical  reaulta— ' Theoretical  results  have  also  played  a  role  in  system  development  (e.g.,  data 
compression,  error  correction,  and  encryption  algorithms  for  disk  and  network  storage  and  data  structures  e 
—►permit  representation  and  searching  of  data  bases  and  processing  of  visual  images). 

Other  complexities— Especially  demanding  are  theories  and  strategies  for  managing  distributed 
computation  and  thus  on  both  physically  distributed  resources  and  multiprocessor  computing  systems. 

No  nutter  what  approach  is  applied  in  software  development,  common  information 

processing  needs  arise:  maintaining  consistency  among,  and  intelligibility  of,  an  interwoven  mass  of 
documents  expressing  the  points  of  view  of  many  stakeholders,  with  constant  change  in  content  and  often 
change  in  structure  of  that  mass,  while  the  set  of  stakeholders  also  changes  over  what  may  be  many  years 
of  a  system’s  life.  Programming  environments  have  evolved  to  addresa  this  need:  structured  editors, 
configuration  management,  data  base  representations,  graphical  interfeces,  and  ways  of  coordinating  work 
flow  among,  as  well  as  work  products  of  groups  of  system  stakeholders.  Particularly  important  are  those 
assets  that  are  viewed  as  worthy  of  use  beyond  their  project  context  (e.g.,  software  components, 
document  templates,  review  guidebooks,  error  and  productivity  data).  More  research  will  be  done  in  this 
area  in  the  ftiture. 

Thread  in  Practice 

Yet  another  thread  in  practice  has  been  the  greater  attention  forced  onto  the  process  aspects  of  system 
development:  how  an  organization  manages  and  improves  its  infrastructure  and  specific  procedures.  While 
the  logic-based  form  of  mathematical  approaches  to  system  description  was  maturing,  so  was  another 
form:  statistical  reasoning  about  errors  and  growth  of  reliability  over  time,  with  die  objective  of 
introducing  industrial  quality  control  and  assurance  practices. 

Thus  we  have  the  setting  for  this  study  and  the  present  report:  mathematical  techniques  have  been 
maturing  for  25  years  while  non-mathematical  techniques  and  general  concerns  for  process  have  driven 
the  practice.  In  the  past  five  yean,  sparse  anecdotal  evidence  indicated  that  formal  methods  were 
beginning  to  be  used  in  industrial  practice,  leading  to  sponsorship  of  the  present  study  to  determine 
systematically  and  factually  where  these  applications  were  occurring,  why,  and  how  the  methods  were 
being  used. 

What  Are  Formal  Methods? 

Definitions  of  formal  methods  abound.  In  the  FM89  report  (Craigen  and  Summerskill  1989),  formal 
methods  were  defined  as: 

“Methods  that  add  mathematical  rigor  to  the  development,  analysis,  and  operation  of  computer 

systems  and  to  applications  based  thereupon.* 

“...are  nothing  but  the  application  of  applied  mathematics— in  this  case,  formal  logic— to  the  design 

and  analysis  of  software-intensive  systems.” 

In  more  concrete  terms,  there  has  been  a  tendency,  on  the  part  of  the  formal  methods  community, 
to  define  formal  methods  in  terms  of  a  Hilbert-style  axiomadzation.  For  example,  Robin  Bloomfield  has 
defined  formal  methods  as  follows: 


“A  software  specification  and  production  method,  based  on  a  mathematical  system,  that  comprises 
the  following: 


0.75  In. 


Fig.  7  —  Regular  text  page,  right-hand  page 
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FIGURES 

Location 

Place  figures  as  close  as  possible  to  where  they  are  first  mentioned.  Figures  that  are  full  page  in  size 
are  optically  centered  (a  little  above  center).  Avoid  landscape  and  fold-in  figures  if  possible.  See  your 
Site  Technical  Information  Office  for  details  on  how  to  handle  these  special  case  figures. 

Placement 

Center  the  figure  horizontally.  Place  it  0.5  in.  (36  pt)  below  the  baseline  of  the  last  line  of  text. 
There  is  0.25  in.  (18  pt)  between  the  bottom  of  the  figure  and  the  baseline  of  the  first  line  of  the  caption. 
Allow  0.5  in.  (36  pt)  between  the  baseline  of  the  last  line  of  the  caption  and  the  top  of  the  next  line  of 
text.  Labels  and  callouts  are  set  in  Helvetica  and  no  smaller  that  9  pt  after  final  reduction. 

Captions 

Center  the  figure  caption  below  the  figure.  The  baseline  of  the  first  line  of  the  caption  is  0.25  in.  (18 
pt)  below  the  bottom  of  the  figure.  Type  is  9  pt  CG  Times.  The  first  word  is  capitalized— the  others  are 
not  (unless  proper  nouns).  The  caption  does  not  end  with  a  period  (even  if  it  is  a  complete  sentence) 
unless  it  is  followed  by  other  sentences.  If  space  below  the  figure  is  limited,  captions  may  be  placed 
beside  the  figure  if  there  is  room.  The  word  figure  is  abbreviated  as  Fig.  There  is  an  em-dash  between 
the  figure  number  and  the  first  word  of  the  caption.  An  em-dash  is  equal  in  length  to  the  type  size. 

Text  Figures 

Text  figures  are  set  in  10  pt  CG  Times.  (See  example  on  page  29.) 

TABLES 

Place  tables  within  the  text  as  close  as  possible  to  where  they  are  first  mentioned. 

Placement 

Center  the  table  horizontally.  Place  it  0.5  in.  (36  pt)  below  the  last  line  of  text,  starting  with  the  first 
line  of  the  table  title.  Allow  one  hard  return  (0.17  in.  or  12  pt)  between  the  last  line  of  the  title  and  the 
top  of  the  table.  Allow  0.5  in.  (36  pt)  between  the  bottom  of  the  table  and  the  next  line  of  text. 

Titles 

Center  the  table  title  0.25  in.  (18  pt)  above  the  table.  Type  is  11  pt  CG  Times.  Words  in  the  title 
(except  for  articles)  are  initial  caps.  The  title  does  not  end  with  a  period  (even  if  it  is  a  complete  sentence) 
unless  it  is  followed  by  other  sentences.  Place  an  em-dash  between  the  table  number  and  the  first  word 
of  the  title.  An  em-dash  is  equal  in  length  to  the  type  size.  In  this  case,  the  em-dash  is  10  pt  long  because 
the  type  is  10  pt  in  size.  If  the  title  is  more  than  one  sentence,  only  the  first  words  are  capitalized. 

Size 


Tables  are  set  in  1 1  pt  CG  Times.  Keep  tables  within  the  image  area  of  the  page  (6.5  x  10  in.).  To 
fit  the  area,  tables  may  be  set  in  a  smaller  type  size  (but  no  smaller  than  8  pt). 
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PATTERN  RECOGNITION  ALGORITHM 


Suppose  we  have  a  digitized  /  x  J  image  g  and  that  this  is  convolved  with  a  mask  or  kernel  k  of  size 
(2N  +  1)  x  (2 N  +  1)  to  form  an  unsealed  image  h.  The  variables  involved  are  defined  by  Table  1.  The 
process  of  optimization,  as  shown  in  Pig.  1,  comprises  a  search  for  the  mask  in  a  domain,  or  set  of 
acceptable  masks,  K  for  which  fiG,  k)  is  maximum.  ^  11  pt 

5  blank  llnce]  w0.5ln.  ^ 

Table  1  —  Definitions  of  Variables  n  • 


0.25  In. 


Domainf 


Original  Image  g  -  g(i,j)  g,  i,  j  €  Z  OSjsC 

Isis/ 

lsjs; 

Convolution  Mask  k  »  k(m,  n)  k  €  R  -K  S  k  S  K 

m,  n  €  Z  -N  s  m  S  N 


*Z  npnwtt  Ae  M  of  all  inlefen  tad  n  Ae  Mt  <rf  Ul  real 
tG  b  Ae  grey  level  A  g,  sad  K  is  Ae  mailman 


jo.5  in. 


iMvlmnm  abiohde  value  tor  an  element  of  k. 


Training 


0.25  in. 


_ _ Fig.  I  —  Schematic  dkgna  of  aoaooomona  target-deaectioa  lyttea  -4 -  y  pt 

f  1 0.5  In.  - 

The  convolution  operation  h  -  g  +  *  is  commonly  defined  by 

|f 

W.j)  “  £  £  g(f  ♦«./♦«)  •  *(«.  »)•  (1) 

a— N 

Where  a  mule  is  used  as  a  feature  detector  (as  in  the  current  project),  it  is  normal  to  apply  the  zero-sum 
constraint 

£  52  *<w>  ")  ■  °>  ® 

to  prevent  response  to  a  uniformly  gray  image.  In  this  case,  we  would  expect  the  mean  gray  level  for 
the  convolved  image  to  be  zero  to  that  in  optimizing  the  mask  k,  we  will  be  able  to  make  use  of  the 
energy  (or  normalized  variance)  v  of  the  convolved  image. 


Fig.  8  —  Figure  and  table 
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APPENDIXES 

Appendixes  (if  used)  follow  the  main  body  of  text  and  contain  supplemental  information.  Although 
they  stand  alone,  they  must  be  mentioned  in  the  text.  They  are  set  up  in  the  same  manner  as  the  first  page 
of  text  with  two  exceptions: 

•  The  headers  for  left-  and  right-hand  pages  continue,  except  the  first  page  of  each  appendix. 

•  There  is  no  “Manuscript  approved  [date]”  footer. 


Margins— 1st  Page 

Inches 

Points 

Top 

2 

144 

Bottom 

0.75 

54 

Left 

1 

72 

Right 

1 

72 

Margins— Following  Pages 

Inches 

Points 

Top 

1 

72 

Bottom 

0.75 

54 

Left 

1 

72 

Right 

1 

72 

Title 

The  word  “Appendix”  on  the  first  page  of  the  appendix  starts  2  in.  from  the  top  of  the  page.  There 
is  a  blank  line  between  the  appendix  designation  and  die  title.  Both  are  set  in  12  pt  bold  CG  Times  with 
full  caps. 

Text 

There  are  two  blank  lines  between  the  last  line  of  the  title  and  the  first  line  of  the  text.  Text  on  the 
succeeding  pages  begins  at  the  top  of  the  page. 
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Text:  11  pt 


No  header 
on  this  page 


Appendix  A  *  -  . 

FORMAL  METHODS  TECHNIQUES 

2  blank  lines 


12  pt  bold  centered 


SOFTWARE  COST  REDUCTION  (SCR)  - 

< -  1  blank  line 

The  description  presented  here  is  based  on  our  understanding  of  the  work  performed  at  Ontario 
Hydro  (on  the  Darlington  shutdown  system).  This  work  includes  evolutionary  enhancements  to  (Henry  -< 
1978)  try  Punas,  his  colleagues,  and  others. 

►How  the  Method  Works 

Representations  Used 

Tabular  representations  of  software  requirements  (described  in  a  blackbox  manner)  and  of  program 
functions.  In  the  latter  case,  the  tables  are  called  'program  function  tables’  and,  essentially,  are 
“strongest  post  condition”  descriptions  of  a  procedure.  The  strongest  post  condition  explicitly  states  how 
a  variable  is  modified  by  a  procedure.  Also  included  are  “linkage  tables.” 

The  tabular  approach  to  describing  software  requirements  is  derived  from  the  work  performed  at 
NRL.  For  this  reason,  we  call  the  approach  “SCR- style."  The  derivation  of  program  function  tables  and 
the  use  of  proofs  (described  below)  were  not  part  of  the  initial  work  on  the  SCR. 

Steps  Performed 

The  Darlington  project  was  generally  a  reverse  engineering  exercise.  The  code  already  existed  when 
they  developed  the  specifications  and  other  tables.  Proofs  were  required  to  demonstrate  that  a  routine 
specification  was  equivalent  to  the  program  function  description.  Proofs  were  performed  by  hand,  though 
it  could  be  mechanized. 

Code  linkage  tables  identify  how  the  outputs  of  a  program  function  table  may  be  used  as  inputs  to 
other  program  function  tables.  It  is  through  code  linkage  tables  that  all  the  physical  inputs  and  program 
variables  that  have  an  effect  on  a  physical  output  are  identified.  Similar  linkage  tables  exist  for  the 
specification.  Hence,  linkage  tables  help  to  modularize  the  descriptions  of  the  specification  and  code. 

Interaction  between  asynchronous  processes  was  viewed  as  interprocess  I/O  occurring  via  shared  data 
objects.  Each  process  had  its  own  specifications  and  program  function  tables.  Processes  were  analyzed 
separately  and  the  process  interaction  was  handled  separately  from  program  function  table  analysis. 

Tools  Applied 

No  specific  tools  exist  to  support  the  SCR-style  of  documentation.  Tools  are  expected  to  be 
developed. 


0.5  in. 


Fig.  9  —  Appendix 
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CLASSIFICATION  MARKINGS 
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Prepared  by  the  Site  Technical  Information  Office. 

Every  Page 

The  overall  classification  of  the  report  is  placed  at  the  top  and  bottom  of  each  page,  as  shown, 
centered  in  14  pt  bold  Univers  full  caps.  This  requires  modification  of  the  headers  and  footers. 

Headers 

The  headers  are  modified  by  adding  two  lines  at  the  top  of  the  header.  The  first  line  is  for  the  page 
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All  headings  and  titles  must  have  their  classifications  indicated  in  parentheses  immediately  following 
them. 

Text 

Enter  a  classification  marking  following  the  title  and  preceding  every  heading  and  paragraph. 

If  a  paragraph  is  continued  from  the  preceding  page,  the  first  line  of  text  on  the  page  must  contain 
the  classification  marking  of  its  paragraph,  e.g.,  “((U)  paragraph  continues).” 

Footnotes 

Enter  a  classification  marking  following  the  footnote  marker  and  before  the  footnote  text. 

Example:  *(U)  This  is  a  footnote. 

Each  footnote  receives  a  classification  marking. 

Figures 

The  classification  of  each  figure  is  typed  centered,  full  caps,  CG  Times  9  pt,  0.25  in.  (18  pt)  below 
the  figure.  The  figure  caption  is  placed  0.065  in.  (5  pt)  below  the  classification.  The  figure  is  marked 
even  if  it  is  unclassified. 
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Caption 

The  classification  of  the  figure  caption  is  placed  after  the  em-dash  following  the  figure  number  and 
just  before  the  first  word  of  the  caption  (e.g.,  Fig.  10  —  (U)  The  caption). 

Tables 

The  classification  of  each  table  is  typed  centered,  full  caps,  9  pt  CG  Times,  0.25  in.  (18  pt)  below 
the  table. 

Title 

The  classification  of  the  table  title  is  placed  after  the  table  number  and  just  before  the  first  word  of 
the  title,  e.g..  Table  2  —  (U)  The  title. 

Appendixes 

All  elements  of  an  appendix  are  handled  exactly  the  same  as  text  pages.  Although  an  unclassified 
appendix  does  not  require  headings  or  paragraph  markings,  it  must  carry  the  following  statement  in  12 
pt  bold,  initial  caps,  centered  above  the  title  and  appendix  designation  on  the  first  page  of  the  appendix. 

(This  Appendix  Is  Unclassified) 


Blank  Pages 

Blank  pages  have  the  following  statement  centered  on  the  page,  “This  Page  Intentionally  Left  Blank.” 
See  Fig.  19.  These  blank  pages  are  numbered. 
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EXECUTIVE  SUMMARY  (U) 


(U)  INTRODUCTION 

(U)  Formal  methods  are  mathematically  based  techniques,  often  supported  by  reasoning  tools  that 
can  offer  a  rigorous  and  effective  way  to  model,  design  and  analyze  computer  systems.  This  report 
summarizes  the  results  of  an  imfapendent  study  of  12  cases  in  which  formal  methods  were  applied  to  the 
construction  of  industrial  systems.  A  major  conclusion  of  the  study  is  that  formal  methods,  while  still 
immature  in  certain  important  respects,  are  beginning  to  be  used  seriously  and  successfully  by  industry 
to  design  and  develop  computer  systems. 

(U)  Canada's  Atomic  Energy  Control  Board  (AECB),  the  U.S.  National  Institute  of  Science  and 
Technology  (NIST),  and  die  U.S.  Naval  Research  Laboratory  (NRL)  commissioned  this  study  to 
determine  the  industrial  track  record  of  formal  methods  to  date  and  to  assess  the  efficacy  of  formal 
methods  for  meeting  their  needs.  The  study  had  three  main  objectives: 

1.  (U)  To  better  inform  deliberations  within  industry  tnd  government  on  itandsrds  and  regulations; 

2.  (U)  To  provide  an  authorihttrve  record  on  die  practical  esperience  of  formal  methods  to  date; 

3.  (U)  To  suggest  areas  where  fortfaer  research  and  technology  development  are  needed. 

(U)  These  objectives  have  been  accomplished  through  the  publication  of  this  report.  The  report 
consists  of  two  volumes  and  this  Executive  Summary.  The  first  volume  is  the  analysis  of  the  supporting 
data  contained  in  the  second  volume.  Volume  One  includes  a  discussion  on  formal  methods  and  a  brief 
characterization  of  die  formal  and  related  methods  used  in  the  cases,  a  summary  of  die  12  case*,  a 
description  of  the  methodology  used  in  the  survey,  a  cluster-by-cluster  analysis  of  the  data,  a  discussion 
on  the  key  events  and  timing  associated  with  each  case,  and  an  analysis  of  our  formal  methods  RAD 
summary;  it  concludes  with  the  findings,  observations,  and  conclusions.  The  appendixes  to  Volume  One 
contain  brief  biographies  of  the  authors,  brief  characterizations  of  11  formal  methods  used  in  the  cases, 
the  initial  questionnaire,  the  questionnaire  used  in  our  structured  interviews,  and  acknowledgements. 
Volume  Two  contains  detailed  supporting  data  on  the  12  cases. 

(U)  Through  these  means,  the  sponsors  have  been  provided  with  an  organized  body  of  systematic 
information ,  assessments ,  evaluations  and  observations  that  interpret  and  extrapolate  usefttl  data  on  cases 
of  significant  industrial  scale  and  applicability  to  real-world  products. 

(U)  This  Executive  Summary  presents  the  following: 

1.  (U)  A  summary  of  the  major  findings  of  the  study. 

2.  (U)  Recommendations  for  continuing  RAD  in  formal  methods. 

(U)  FINDINGS  AND  RECOMMENDATIONS 

(U)  The  Mowing  conclusions  are  the  result  of  applying  the  authon’ expertise  in  analyzing  the  cates. 

B-l 
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Fig.  13  —  Classified  Executive  Summary 
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AN  INTERNATIONAL  SURVEY  OF  INDUSTRIAL  APPLICATIONS 
OF  FORMAL  METHODS  (U) 

Volume  I 

PURPOSE,  APPROACH,  ANALYSIS  AND  CONCLUSIONS  (U) 


(U)  INTRODUCTION 

(U)  Fonnal  methods  are  mathematics lly  baaed  techniques,  often  supported  by  reasoning  tools  that 
can  offer  a  rigorous  and  effective  way  to  modal,  design  and  analyze  computer  systems.  The  purpose  of 
this  study  is  to  evaluate  international  industrial  experience  in  using  formal  methods.  The  cases  selected 
are,  we  believe,  representative  of  industrial-grade  projects  and  span  a  variety  of  application  donzdna.  The 
study  had  three  main  objectives: 

•  (U)  To  better  inform  deliberations  within  industry  and  government  on  standards  and  regulations; 

•  (U)  To  provide  an  authoritative  record  on  foe  practical  eaperiaoee  of  formal  methods  to  date;  and 

•  (U)  To  suggest  areas  where  ftmire  research  and  technology  development  are  needed. 

(U)  This  study  was  undertaken  by  fores  experts  in  formal  methods  and  software  engineering:  Dan 
Craigen  of  ORA  Canada,  Susan  Gerhart  of  Applied  Fonnal  Methods,  and  Ted  Ralston  of  Ralston 
Research  Associates.  Robin  Bloomfield  of  Adeiard  was  involved  with  the  Darlington  Nuclear  Generating 
Station  Shutdown  System  case.  Brief  biographies  of  foe  authors  are  included  in  Appendix  A. 

(U)  Support  for  this  study  was  provided  by  organizations  in  Canada  and  the  United  States.  The 
Atomic  Energy  Control  Board  of  Canada  (AECB)  provided  support  for  Dan  Craigen  and  for  foe  technical 
editing  provided  by  Karen  Summertkill.  TheU.S.  Naval  Research  Laboratory  (NRL),  Washington,  DC, 
provided  support  for  all  three  authors.  The  U.S.  National  Institute  of  Standards  and  Technology  (NIST) 
provided  support  for  Ted  Ralston. 

(U)  This  final  report  consists  of  two  volumes.  This  first  volume  describes  the  study,  formal  methods, 
die  cases  that  were  studied,  our  approach  to  performing  the  study,  and  our  analysis,  findings,  and 
conclusions. 

(U)  The  second  volume  of  the  final  report  provides  the  details  on  foe  case  studies.  For  each  at  the 
caee  studies,  we  present  a  case  description,  snmmariae  the  information  obtained  (from  Interviews  and  the 
literature),  provide  an  evaluation  of  the  case,  MgtiUgt*  RAD  issues  pertaining  to  formal  methods,  and 
provide  some  conclusions.  Earlier  drafts  of  the  case  studies  were  reviewed  by  the  relevant  participants. 

(U)  From  the  authors’  anelyiis  of  foe  12  cases  and  the  stated  RAD  needs  from  those  we  interviewed, 
other  areas  are  suggested  for  ftiture  RAD.  These  areas  are  drawn  from  the  particular  set  of  studied  caaea. 


H— -ript  wprovad  Man*  31, 1993. 
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Fig.  14  —  Classified  first  page  of  text 
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Oalgen,  Gerhart,  and  Ralston 

(0)  CASE  SUMMARY 

(U)  Twelve  projects  were  chosen  u  the  object  of  our  study.  These  projects  can  be  divided  into  three 
clusters:  regulatory,  commercial  and  exploratory.  Regulatory  cases  exhibit  safety-  or  security-critical 
attributes  and  thereby  attract  the  attention  of  the  standards  communities  and  agencies,  and  the  regulators 
who  will  license  die  product  for  use.  Commercial  cases  are  those  cases  that  involve  purely  profit 
concerns.  Finally,  the  exploratory  cases  are  those  cases  where  the  organizations  involved  were 
investigating  the  potential  utility  of  formal  methods  in  their  own  settings. 

(U)  The  cases  are  international,  involving  organizations  in  Canada,  the  United  Kingdom,  the  United 
States,  and  continental  Europe,  Available  resources  did  not  permit  the  inclusion  of  cases  from  Asia  or 
Australia. 

(U)  We  believe  dot  die  cases  collectively  uncover  many  factors  that  are  relevant  to  evaluating  the 
efficacy,  utility,  and  applicability  of  formal  methods.  The  cases  also  demonstrate  different  uses  of  formal 
methods.  For  example, 

•  (U)  “moddization,"  where  formal  languages  (e.g.,  Z)  are  used  to  model  systems; 

•  (U)  demonstrating  conformance  of  code  with  specifications; 

•  (U)  demonstrating  conformance  of  design  with  requirements;  and 

•  (U)  the  application  of  mathematical  reasoning  to  solve  difficult  conceptual  problems. 

(U)  Finally,  we  believe  that  the  cases  encompass  many  of  the  anecdotal  claims,  both  pro  and  con, 
regarding  formal  methods. 


(U)  In  the  remainder  of  this  section,  we  present  summaries  of  our  12  cases.  The  cases  are  inrrodnced 
in  the  context  of  the  clusters.  Our  analysis  of  the  collection  of  cases  will  be  based  on  these  dusters. 
Throughout  the  report  we  will  make  use  of  abbreviations  to  identity  the  cases;  these  abbreviations  are 
introduced  with  the  name  of  the  case.  Figure  2  presents  an  idea  of  the  size  of  the  applications  involved. 
Of  course,  “lines  of  code*  is  a  rather  superficial  measure  and  must  be  viewed  with  caution. 


(U)  Darlington:  Trip  Computer  Software  (DNCS) 

(U)  Ontario  Hydro  and  AECL  developed  computer-controlled  shutdown  systems  for  the  Darlington 
Nuclear  Generating  Station  (DNGS).  When  difficulties  arose  in  obtaining  an  operating  license  from  the 
Atomic  Energy  Control  Board  of  Canada  (AECB),  the  Canadian  regulator  for  nuclear  generating  stations, 
formal  methods  were  spplied  to  assure  AECB  that  the  software  met  requirements.  The  process  was  one 
of  poet-development  mathematical  analysis  of  requirements  and  code  using  Software  Cost  Reduction. 

(U)  The  specifications,  code  and  proofs  require  25  three-inch  binders  for  each  of  the  two  shutdown 
systems.  While  there  is  some  discrepancy  in  the  various  papers  on  the  amount  of  code  for  the  two 
shutdown  system,  the  definitive  word  was  that  one  of  the  shutdown  systems  (SDS1)  has  about  2500  lines 
of  code. 

(U)  The  use  of  the  Software  Cost  Reduction  approach  finally  convinced  the  AECB  that  the  shutdown 
system  was  no  longer  a  licensing  impediment.  The  eases  we  investigated  used  a  broad  collection  of  formal 
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(fU)  paragraph  continues) 

methods.  In  Appendix  B,  we  present  summaries  of  the  principal  formal  methods  that  are  mentioned  in 
die  report.  References  for  die  various  methods  are  included  and  our  readers  are  directed  to  thoee 
references  for  in-depth  presentations  of  the  methods.  Volume  2  of  the  Vienna  Development  Methodology 
symposium  proceedings  also  includes  tutorial  presentations  of  a  number  of  formal  methods. 

(U)  Specific  Formal  Methods 

(U)  The  cases  we  investigated  used  a  broad  collection  of  formal  methods.  In  Appendix  B,  we  present 
summaries  of  die  principal  formal  methods  that  are  mentioned  in  die  report.  References  for  the  various 
methods  are  included  and  our  readers  are  directed  to  those  references  for  in-depth  presentations  of  the 
methods.  Volume  2  of  the  Vienna  Development  Methodology  symposium  proceedings  also  includes 
tutorial  presentations  of  a  number  of  formal  methods. 

(U)  In  Fig.  1,  we  associate  the  methods  with  the  cases  in  which  they  have  been  used.  Appendix  B 
summarizes  die  metboda.  The  cases  are  summarized  in  Section  3. 


-  Software  Cost  Reduction  (SCR):  Darlington  Nuclear  Generating  Station  (DNGS) 

-  B.SACEM 

•  Qeanroom  Software  Methodology:  COBOL  Structuring  Facility  (COBOL/SF) 

•  Formal  Development  Methodology  (FDM):  Token-Based  Access  Control  System  (TBACS) 

•  Gypsy  Veritlcacioa  Environment  (GVE):  Malthas  Gateway  System  (MGS) 

-  Haste  Logic:  SACEM 

•  Occam  and  Communicating  Sequential  Processes  (CSP):  INMOS  Transputer 

-  RAISE:  Large  Correct  Systems  (LaCoS) 

-  Hewlett-Packard  SoecificMkxi  I 

-  TCAS  Methodology:  Traffic  Alert  and  Collision  Avoidance  System 

-  Z:  SSADM  Toolset,  Tektronix  oscilloscopes,  INMOS  Transputer _ 

UNCLASSIFIED 

Fig.  1  —  (U)  Fonml  Ddhods  used  in  surveyed  cases 

(U)  Our  summaries  of  the  methods  are  divided  into  two  parts:  we  discuss  how  the  method  works, 
and  present  some  observations.  We  subdivide  our  discussion  on  bow  the  method  works  by  identifying 
die: 

•  Representations  used:  What  are  the  underlying  notations? 

•  Steps  performed:  How  are  the  representations  used? 

•  Tools  applied:  What  tools  are  generally  uaed? 

•  Rotes  involved:  Who  does  what  and  what  skill  do  they  have? 

•  Artifacts  produced:  What  are  the  major  products  that  are  documented? 

(U)  For  our  observation*  we  describe  what  the  method  achieves  and  the  limitations  of  the  method. 
We  also  identify  other  techniques  that  are  supported  and  required  and  identify  die  user  community.  The 
rest  of  the  report  provides  detailed  information  concerning  the  data  collection  process  and  how  it  waa 
analyzed. 
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(U)  PATTERN  RECOGNITION  ALGORITHM 

(U)  Suppose  we  have  a  digitized  l  x  J  image  g  and  that  this  is  convolved  with  a  m«k  or  kernel  k 
of  size  (2N  +  1)  x  (2 N  +  1)  to  form  an  unsealed  image  h.  The  variables  involved  are  defined  by  Table 
1.  The  process  of  optimization,  u  shown  in  Fig.  1,  comprises  a  search  for  the  mask  in  a  domain,  or 
set  of  acceptable  macks,  K  for  which  k)  is  maximum. 


Table  1  -  (U)  Definitions  of  Variables 


Object 

Format 

Oats* 

Domainf 

Original  Image 

8-gO.J) 

«.l.ye  2 

0  SjSC 

1  S/S/ 

1  sy  S/ 

Convolution  Mask 

k  -  k(m,  n) 

iE  R 

-JT  Sisf 

m,  n  €  Z 

-N  Smsilf 

•Z  npresean  d»  stt  of  all  tagm  md  It  d»  M  of  al  real  anfaoi 

tC  ■  the  otailnmi  gray  level  ia  g,  aad  Kk  ihs  marl— l  atwokae  nine  tor  u  absent  of  k. 


UNCLASSIFIED 


UNCLASSIFIED 

R*.  1  —  (U)  Schematic  dfafnm  of  Mtonowooi  tufet-detoctioa  tymm 


(U)  The  convolution  operation  h  «  g  +  k  is  commonly  defined  by 

ff  ff 

Mi.J)  m  E  E  *«  ♦  m>  J  *  ">  •  *(*•  ">• 

m—M  ,.-M 

Where  a  mask  Is  used  as  a  feature  detector  (as  in  the  current  project),  it  is  normal  to  apply  the  zero-sum 
constraint 

ff  ff 

E  E  ")  *  °>  ® 

m-M  !•*# 


CLASSIFICATION 
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Appendix  A 

FORMAL  METHODS  TECHNIQUES  (U) 


(U)  SOFTWARE  COST  REDUCTION  (SCR) 

(U)  The  description  pretented  here  It  bued  on  our  understanding  of  the  work  performed  at  Ontario 
Hydro  (on  die  Darlington  shutdown  system).  This  work  includes  evolutionary  enhancements  to  (Henry 
1978)  by  Parnas,  Ida  colleagues,  and  others. 

(U)  How  (he  Method  Works 

(U)  Representations  Used 

(U)  Tabular  representations  of  software  requirements  (described  in  a  blackbox  manner)  and  of 
program  functions.  In  the  latter  case,  the  tabks  are  called  “program  function  tables*  and,  essentially,  are 
'strongest  post  condition’  descriptions  of  a  procedure.  The  strongest  post  condition  explicitly  states  how 
a  variable  is  modified  by  a  procedure.  Also  included  are  “linkage  tables.* 

(U)  The  tabular  qiproach  to  describing  software  requirements  is  derived  from  the  work  performed 
at  NRL.  For  this  reason,  we  call  the  approach  “SCR-style."  The  derivation  of  program  function  tables 
and  the  use  of  proofs  (described  below)  were  not  part  of  the  initial  work  on  the  SCR 

(U)  Steps  Performed 

(U)  The  Darlington  project  was  generally  a  reverse  engineering  exercise.  The  code  already  existed 
when  they  developed  the  specification  and  other  tables.  Proofs  were  required  to  demonstrate  that  a 
routine  specification  was  equivalent  to  the  program  function  description.  Proofs  were  performed  by  hand, 
though  it  could  be  mechanised. 

(U)  Code  linkage  tables  identify  how  the  outputs  of  a  program  function  table  may  be  used  u  inputs 
to  other  program  function  tables.  It  is  through  code  linkage  tables  that  all  the  physical  inputs  and  program 
variables  that  have  an  effect  on  a  physical  output  are  identified.  Similar  linkage  tables  exist  for  the 
specification.  Hence,  linkage  tables  help  to  modularize  the  descriptions  of  the  specification  and  code. 
Interaction  between  asynchronous  processes  was  viewed  as  interprocess  I/O  occurring  via  shared  data 
objects.  Each  process  had  its  own  specifications  and  program  function  tables.  Processes  were  analyzed 
separately  and  the  process  interaction  was  handled  separately  from  program  function  table  analysis. 

(U)  Toots  Applied 

(U)  No  specific  tools  exist  to  support  the  SCR-style  of  documentation.  Tools  are  expected  to  be 
developed. 
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FONTS 


Use  a  roman  typeface  such  as  CG  Times,  Times  Roman,  or  New  Times  Roman.  The  use  of  bold  and 
italic  fonts  of  these  typefaces  is  required  to  match  the  specified  format. 


Title 

Text 


CG  TIMES  BOLD  12  PT  FULL  CAPS 
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Heading  1 
Heading  2 
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Footer  A— Manuscript  approved 
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Inches 

Points 
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20 
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32 

3rd 
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66 

4th 

1.175 
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2.0 
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EXECUTIVE  SUMMARY  Arabic  numbers  starting  with  E-l  centered  at  bottom  of 

page  0.5  in.  from  bottom  edge  set  in  11  pt  CG  Times. 

MULTILINE  FIGURE  CAPTIONS 

If  a  figure  caption  is  two  lines  long,  the  second  line  is  centered  under  the  first  caption  line,  including 
the  figure  number.  If  the  figure  caption  is  three  or  more  lines  long,  the  lines  are  typed  full-figure  width, 
same  as  the  first  line  of  the  caption,  including  the  figure  number. 
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MULTILINE  TABLE  TITLES 

If  a  table  title  is  more  than  one  line  long,  subsequent  lines  are  centered  under  the  complete  first  line 
of  the  title,  including  the  table  number. 

PARAGRAPH  NUMBERING 

Paragraphs  generally  are  not  numbered.  However,  if  paragraph  numbering  is  required,  then  use  the 
numeric  decimal  system  with  an  em-space  between  the  number  and  the  heading  or  text. 


